CVE Catalog

CVE-2026-6739

MediumCVSS 6.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

15th percentile — higher than 15% of all known CVEs

Summary

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, and 10.11.x <= 10.11.16 fail to require system-level permission when patching protected default system roles. This allows authenticated users with delegated user-management permissions to escalate privileges by altering built-in role permissions via the role patch API.

Risk Assessment

The organization may be exposed to unauthorized privilege escalation, which could lead to serious security breaches and loss of control over the system.

Recommendation

It is recommended to update Mattermost to the latest version to mitigate this vulnerability and review user permissions to limit the potential for privilege escalation.

Original NVD description (English source)

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to require system-level permission when patching protected default system roles, which allows authenticated users with delegated user-management permissions to escalate privileges by altering built-in role permissions via the role patch API.. Mattermost Advisory ID: MMSA-2026-00656

Vulnerability data from NVD (NIST) · CISA KEV · EPSS